Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract multiple fields and create a table?

bharat149
Explorer
‎08-02-2023 02:00 AM

02.08.2023 12:44:10.690 *INFO* [sling-threadpool-2cfa6523-0895-49ea-bb99-ae6f63c25cf6-32-Create Site from Template(aaa/jobs/abc)] bbb.CreateSiteFromSiteTemplateJobExecutor Private Site : ‘site4’ created by user : ‘admin’ with MRNumber :  ‘dr4’

I want to extract site , user and DR number and create table

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 02:12 AM

You have been shown how to use rex before - how could you modify this to locate (anchor) the string that you want and extract the data into a field using a pattern?

Get customer ID form logs - Splunk Community

0 Karma
Reply

bharat149
Explorer
‎08-02-2023 02:37 AM
Spoiler
i need splunk querry
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 02:46 AM

OK what rex command have you tried so far?

0 Karma
Reply

bharat149
Explorer
‎08-02-2023 03:22 AM

sourcetype=log | rex "Private Site : ‘(?[^’]+)’ created by user : ‘(?[^’]+)’ with DRNumber : ‘(?[^’]+)’" | table site, user ,drnumber

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 03:30 AM

Looks like you just need to name the capture groups with the field names you want to use

sourcetype=log | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drumber>[^']+)'" | table site, user ,drnumber

By the way, it looks like the single quotes may have been changed when you pasted your example in. It is best to use code blocks </> as I have just done to ensure formatting and content changes don't occur when showing events and SPL code.

0 Karma
Reply

bharat149
Explorer
‎08-02-2023 03:40 AM

source="error1.log" host="Bharats-MacBook-Pro.local" sourcetype="test1" | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drNumber>[^']+)'"

Rex is not wokring all the logs are getting printed

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 03:53 AM

Your search doesn't appear to have any filtering so I would have expected all logs to have been shown

0 Karma
Reply

bharat149
Explorer
‎08-02-2023 03:58 AM

How to selected only the rex events only

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2023 04:10 AM

You could add your anchor strings to the initial search

sourcetype=log "Private Site : " " created by user : " " with DRNumber :" | rex "Private Site : '(?<site>[^']+)' created by user : '(?<user>[^']+)' with DRNumber : '(?<drumber>[^']+)'" | table site, user ,drnumber
0 Karma
Reply

bharat149
Explorer
‎08-02-2023 03:39 AM

Not working 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...